
Opened 7 years ago

Closed 7 years ago

#5760 closed (wontfix)

Use keyed hashing for session data, remove duplicate code

Reported by: Nir Soffer <nirs@…>
Owned by: nobody
Component: contrib.sessions
Version: 0.96
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Use hmac instead of md5 to create a digest of session data. Using hmac is probably more secure than the home-built md5 implementation. Also, the current implementation uses hexdigest() when digest() is just fine.

While replacing the hash, extract the digest code to a new function to remove duplicate code.

Issues:

  • Old sessions will be invalidated by this patch

Attachments (1)

session.patch (1.9 KB) - added by Nir Soffer <nirs@…> 7 years ago.
patch


Change History (2)

Changed 7 years ago by Nir Soffer <nirs@…>

patch

comment:1 Changed 7 years ago by mtredinnick

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

I don't think the churn is worth it here, since invalidating existing sessions is a little annoying. If somebody constructs a string that collides with our MD5 hash, there's not a lot they can do, since they really need the right string to be able to work out what's in the session. MD5 is vulnerable to collisions, not reverse-engineering.
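The following is an added example, not the ticket's patch and not Django's session code. It shows the two constructions the ticket contrasts side by side (a hex md5 over payload plus secret, versus an HMAC using the raw digest()) and the migration step that answers the objection in comment:1: verify the new tag first, fall back to the old one, and signal the caller to re-save so the fallback can be dropped later. Assumptions of this example: HMAC-SHA256 (the ticket names no hash function), JSON instead of pickle for the payload, a "tag:payload" blob layout, and a constructed SECRET_KEY.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed key for this example only; a real deployment would use the
# site's secret setting and never commit it to source.
SECRET_KEY = b"example-secret-key-do-not-reuse"


def _serialize(session: dict) -> bytes:
    # JSON instead of pickle is an assumption of this example: unpickling a
    # payload that fails to verify would already be dangerous, JSON is inert.
    return json.dumps(session, sort_keys=True).encode()


def legacy_digest(payload: bytes) -> bytes:
    """The construction the ticket replaces: hex md5 of payload plus secret."""
    return hashlib.md5(payload + SECRET_KEY).hexdigest().encode()


def keyed_digest(payload: bytes) -> bytes:
    """The construction the ticket proposes: an HMAC, using the raw digest().

    HMAC-SHA256 is assumed here; the ticket does not name a hash function.
    """
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def encode_session(session: dict) -> bytes:
    """New format: base64(HMAC tag) ':' payload.

    Neither the base64 nor the hex alphabet contains ':', so the first ':'
    in a blob is always the separator, whatever the payload contains.
    """
    payload = _serialize(session)
    return base64.b64encode(keyed_digest(payload)) + b":" + payload


def encode_legacy_session(session: dict) -> bytes:
    """Old format: hex md5 tag ':' payload. Kept only to produce test input."""
    payload = _serialize(session)
    return legacy_digest(payload) + b":" + payload


def decode_session(blob: bytes):
    """Return (session, needs_resave); raise ValueError if no tag verifies.

    Verifying the new tag first and falling back to the old one is what keeps
    already-issued sessions valid across the hash change. When the fallback
    was used, needs_resave is True so the caller rewrites the session in the
    new format and the fallback can be removed once old sessions have aged out.
    """
    tag, sep, payload = blob.partition(b":")
    if not sep:
        raise ValueError("malformed session blob")

    # New format. compare_digest runs in constant time and returns False on a
    # length mismatch instead of leaking where the tags differ.
    try:
        presented = base64.b64decode(tag, validate=True)
    except binascii.Error:
        presented = b""
    if hmac.compare_digest(presented, keyed_digest(payload)):
        return json.loads(payload), False

    # Legacy format, accepted only during the migration window.
    if hmac.compare_digest(tag, legacy_digest(payload)):
        return json.loads(payload), True

    raise ValueError("session tag does not verify")


def forge(blob: bytes) -> bytes:
    """Constructed tampering: edit the payload while keeping the original tag."""
    return blob.replace(b'"user_id": 7', b'"user_id": 1')


if __name__ == "__main__":
    fresh = encode_session({"user_id": 7, "is_admin": False})
    print(decode_session(fresh))   # ({'is_admin': False, 'user_id': 7}, False)
    old = encode_legacy_session({"user_id": 7, "is_admin": False})
    print(decode_session(old))     # ({'is_admin': False, 'user_id': 7}, True)
    for blob in (forge(fresh), forge(old)):
        try:
            decode_session(blob)
        except ValueError as exc:
            print("rejected:", exc)
```

The fallback branch is the part that costs nothing in security and removes the "invalidates existing sessions" objection: an attacker gains no new forgery surface from the old check still being present, since it is the same check that was accepted before the change, and the caller's re-save on needs_resave shrinks the population of legacy-tagged sessions until the branch can be deleted.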
